Yireo - Trainings & extensions

The security company Securatary discovered a vulnerability in Magento Go that allowed attackers to log in to any other Magento Go account by modifying HTTP headers in the browser. Magento (or rather eBay, as Magento is now an eBay company) responded quickly and fixed the issue.

Opening the door to numerous scenarios

The attack was easy to replicate: using a browser extension such as Modify Headers for Firefox, a POST request sent from within one (source) Magento Go account could be altered so that it modified admin privileges in another (destination) Magento Go account. In this way it was possible to gain admin privileges in other Magento Go accounts.

This in turn opened the door to further abuse, the most damaging being the ability to place fake orders using coupon codes. The main flaw appears to have been in the Magento Go code responsible for checking whether a POST request sent for a specific domain was actually coming from that domain. Because this check was either absent or not working properly, Magento Go could be fooled by modifying HTTP headers such as the Host header, the Location header and the cookie domain.
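The underlying mistake is a multi-tenant application deciding which account a request targets from headers the client controls. The following is an added, hypothetical illustration (not Magento Go's code, and not Securatary's proof of concept): a toy "grant admin" handler written the weak way, where the target account comes from the Host header and the "same domain" check compares two client-supplied headers with each other, next to a hardened version that takes the account from the server-side session and checks Host, Origin and a session-bound CSRF token against that. Session ids, account names and users are constructed sample data.

```python
import hmac

# Constructed server-side state (hypothetical, not Magento Go's data model):
# a session id maps to the account the user authenticated against.
SESSIONS = {
    "sess-alice": {"account": "store-a.example", "user": "alice", "csrf": "tok-alice"},
}
# Constructed per-account admin lists.
ADMINS = {
    "store-a.example": {"alice"},
    "store-b.example": {"bob"},
}


def _session_for(request):
    """Look up the server-side session referenced by the session cookie."""
    return SESSIONS.get(request["cookies"].get("session"))


def vulnerable_grant_admin(request):
    """Weak pattern: the target account is taken from the Host header, and the
    'did this POST come from that domain' check compares two client-controlled
    headers with each other. A client that rewrites Host and Origin passes it."""
    headers = request["headers"]
    target = headers.get("Host", "")
    if headers.get("Origin") != f"https://{target}":
        return "rejected: cross-domain POST"
    if _session_for(request) is None:
        return "rejected: not logged in"
    ADMINS.setdefault(target, set()).add(request["body"]["user"])
    return f"granted admin on {target}"


def hardened_grant_admin(request):
    """Hardened pattern: the target account is the one bound to the server-side
    session; Host and Origin are checked against that, never against each other;
    a session-bound CSRF token is required; only an existing admin may add one."""
    session = _session_for(request)
    if session is None:
        return "rejected: not logged in"
    target = session["account"]
    headers = request["headers"]
    # A Host that disagrees with the session's account is tampering or
    # misrouting; reject it (and log it: this is a useful detection signal).
    if headers.get("Host") != target:
        return "rejected: host/session mismatch"
    if headers.get("Origin") != f"https://{target}":
        return "rejected: cross-origin POST"
    if not hmac.compare_digest(request["body"].get("csrf", ""), session["csrf"]):
        return "rejected: bad CSRF token"
    if session["user"] not in ADMINS[target]:
        return "rejected: caller is not an admin"
    ADMINS[target].add(request["body"]["user"])
    return f"granted admin on {target}"


def make_request(host, origin, session_cookie, user, csrf=""):
    """Build a constructed POST /admin/users request as a plain dict."""
    return {
        "headers": {"Host": host, "Origin": origin},
        "cookies": {"session": session_cookie},
        "body": {"user": user, "csrf": csrf},
    }


if __name__ == "__main__":
    # Alice is logged in to store-a but her client rewrites Host/Origin to store-b.
    forged = make_request("store-b.example", "https://store-b.example", "sess-alice", "mallory")
    print(vulnerable_grant_admin(forged))  # granted admin on store-b.example
    print(hardened_grant_admin(forged))    # rejected: host/session mismatch
    legit = make_request("store-a.example", "https://store-a.example", "sess-alice", "carol", "tok-alice")
    print(hardened_grant_admin(legit))     # granted admin on store-a.example
```

The point of the hardened version is that nothing the client sends decides which tenant is affected: the session, created at login, is the only source of truth for the account, and the headers are validated against it rather than against each other. The Host/session mismatch branch is also worth alerting on, since a legitimate browser never produces it.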

The vulnerability was reported to Magento and fixed quickly afterwards.

Posted on 14 February 2014
